Attacks on healthcare organisations increase
A study released in May 2015 of 90 covered healthcare organisations under the US Health Insurance Portability and Accountability Act (HIPAA) (see below) indicated that nine out of ten organisations had been the subject of a cyber attack. The study indicated that cyber attacks on covered healthcare organisations had increased by around 125% over the previous 5 years and could be costing the industry US$6bn annually.
The most notable recent cyber attack within the healthcare sector targeted Anthem, the second largest health insurance company in the US. According to Anthem’s recent public statements, stolen information included patient names, addresses and dates of birth, Social Security numbers, healthcare ID numbers, employment information and email addresses. Approximately 80 million individuals were reportedly affected although fortunately no medical data was stolen in that particular attack. Anthem is believed to have held approximately US$100-150m in cyber insurance, though one report suggested that a large proportion of this could be exhausted by the cost of notifying impacted persons of the breach. Anthem acknowledges that it has incurred costs to investigate and remedy the breach. Class action suits have been filed in multiple jurisdictions claiming that Anthem had not properly protected the information held in its database, including by allegedly not encrypting it. The company has also disclosed in its 10-Q for the first quarter of 2015 that state and federal agencies, including state attorneys and the FBI, are investigating the attack, its consequences and Anthem’s responses.
Other damaging attacks on healthcare institutions have occurred elsewhere. In Asia, for example, the medical faculty at the Chinese University of Hong Kong was targeted by cyber-criminals towards the end of 2014, when its servers containing the personal medical data of over 10,000 patients were not only compromised, but also encrypted by the hackers and held for ransom.
Health data carries unique cyber security risks
According to a recent report by PWC, a single individual's personal information dossier can be worth up to US$1,000 if it includes health-related data. Personal health data is particularly sought after within criminal communities because it can be used to develop fake credentials that may be effective for years (unlike a stolen credit card, which can be cancelled within hours). These fake credentials can be used to purchase medical prescriptions (that can be resold), to make false medical claims on health insurance and to perpetrate other forms of identity theft.
To date, reported cyber attacks in the health sector almost exclusively involve stolen data. However, health-related cyber attacks can also pose safety threats to individuals. For example, hackers could potentially alter patient medical data, misleading doctors into making incorrect diagnoses and administering incorrect treatments. Medical devices could also be hijacked and manipulated in ways that are harmful to patients.
General legislation has been slow in coming
Major legislative bodies in the US, Europe, and Asia are considering potential large-scale solutions to cyber security risks, but progress to date has been slow.
In the US, President Obama signed Executive Orders in February 2013 and 2015 to facilitate agencies' exchange of classified cyber security information with companies in order to promote stronger security systems. The 2013 Executive Order was introduced in place of earlier legislative proposals that failed to pass through Congress which would have given the Department of Homeland Security powers to enforce minimum cyber security standards for the protection of critical infrastructure.
In January 2015, President Obama announced new legislation aimed at enhancing cyber security by authorising information sharing between private and government entities, as well as among private entities. In the meantime, Congress has been pursuing its own legislative proposals in the form of the Protecting Cyber Networks Bill (House)/Cybersecurity Information Sharing Bill (Senate) and the National Cybersecurity Protection Advancement Bill. The former has received the public backing of the Obama administration, despite the administration having threatened to veto an earlier version of cyber security data sharing legislation over privacy concerns.
Within the EU, a cyber security directive has been in development since early 2013. The draft directive proposes mandatory breach notification requirements and increased baseline security standards that would also be passed on to suppliers. In November 2014, the Commission, Parliament and Council failed to reach agreement in trilogue negotiations on whether to include certain market operators and internet enablers within the obligations of the directive. Further negotiations are expected to take place under the Latvian Presidency of the EU Council. Once the directive is adopted, Member States will have 18 months to enact national implementing legislation.
Regulators lead the charge - by requiring businesses to protect themselves and their data
As national and regional legislative bodies continue to discuss new cyber security laws, regulators (such as the SEC and securities and market regulators in other countries) and government agencies have recognised the threat and responded with guidance, circulars and specific cyber security requirements on entities they regulate, including healthcare operators.
In October 2014 the FDA issued detailed guidance notes on cyber security measures to be taken with respect to medical devices and recommended disclosures in the pre-market submissions. The guidance applies to all medical devices that contain software and software that itself constitutes a medical device. The FDA guidance provides that the level of security required will depend on factors including the intended use, the likelihood the vulnerability may be exploited and the probable risk of patient harm. Device makers should provide a full description and justification in their pre-market submissions for the security measures they have adopted. The FDA advises manufacturers to address security during the design and development of devices and establish a vulnerability and impact assessment matrix.
In the health context, the rules adopted under HIPAA for maintaining the privacy and security of individually identifiable health information amount to the most comprehensive set of cyber security rules adopted in the US to date. The ‘Security Rule’ laid down by HIPAA was modified and implemented by the US Department of Health and Human Services in 2013 in the so-called HIPAA Omnibus Final Rule. The Security Rule now applies to ‘covered entities’ - primarily hospitals, clinics and health insurers - as well as ‘business associates’ of covered entities. A business associate means any independent contractor or subcontractor that retains or processes electronic health information. Cloud service providers, data analysis firms and potentially other types of e-health businesses could be caught by the ‘Security Rule’ if they have a contractual supply relationship with a covered entity.
Under the modified ‘Security Rule’, covered entities and their business associates must adopt a series of cyber security safeguards at the administrative level (for example, security policies, workforce training), the physical level (for example, separate server rooms, locked doors, alarm systems) and the technical level (for example, data encryption, anti-hacking/malware software, secure IDs and passwords). In addition, both covered entities and their business associates are responsible for disclosing successful cyber attacks in which non-encrypted health data is accessed or stolen, and they are responsible for mitigating the harmful effects that result from a breach.
There are relatively few specific cyber security standards for medical devices in Europe currently.
Respondents to a consultation by the European Commission green paper on mobile health, published in January 2015, were in favour of strong security safeguards. The most popular security measures put forward in the consultation were wider use of data encryption and authentication mechanisms. Responses said health data should be encrypted both ‘in transit’ (during communication) and ‘at rest’ (during storage). Respondents were divided on whether to exclude technology-specific security requirements or on the other hand to mandate the use of certification of security measures for mobile health devices. In France it is already a requirement that cloud providers obtain certification by a national public authority (ASIP Santé) before they can store health data.
The Commission has said that during 2015 it will come forward with a set of policy responses based on the results of the public consultation. In its report the Commission acknowledged that a code of conduct or guidelines for issues such as security would be beneficial.
Could regulators move to independent testing and validation of security controls?
Although existing guidance in this area is generally not mandatory and encourages self-disclosure, it is possible that healthcare regulators may move in the direction of a more interventionist approach in future. This could include independent testing and validation of cyber security measures in higher risk apps and devices that are classified as medical devices. For instance there are some indications arising from the EU consultation that the Commission may favour mandatory certification of encryption and other security measures in some situations. In the aftermath of recent cyber attacks there have been increased calls for the adoption of encryption as standard practice for non-financial data as well as for financial data (including in the Mauritius Declaration on the Internet of Things issued at the 36th International Conference of Data Protection and Privacy Commissioners in October 2014).
In the financial markets, the US Commodity Futures Trading Commission (CFTC) has said that it is seeking industry and government agency views on systems testing procedures for trading software used at derivative clearing houses and exchanges. The CFTC held a staff roundtable on cybersecurity and system safeguards testing in March 2015, ahead of which the CFTC Chairman is reported to have raised the question in a public speech of whether the testing should be done by independent experts. The Bank of England has already taken steps in this direction under its CBEST vulnerability testing framework. The Bank of England works with accredited cyber intelligence firms to gather threat intelligence and probe the resilience of the systems of financial institutions through penetration testing. CBEST is a voluntary program, but the Bank of England has said that it may follow up individually with core firms and financial market infrastructures that decline to participate.
If medical regulators were to adopt independent screening of security controls in medical apps and devices, this may in turn lead to the adoption of standardised, pre-vetted security technology.